DataConnect + PGLite prototype.

.eslintrc.js

@@ -122,6 +122,7 @@ module.exports = {
   // TODO(jamesdaniels): add this to overrides instead
   ignorePatterns: [
     "src/dynamicImport.js",
+    "src/emulator/dataconnect/pg-gateway",
     "scripts/webframeworks-deploy-tests/nextjs/**",
     "scripts/webframeworks-deploy-tests/angular/**",
     "scripts/frameworks-tests/vite-project/**",

package.json

@@ -98,6 +98,7 @@
     ]
   },
   "dependencies": {
+    "@electric-sql/pglite": "^0.2.0",
     "@google-cloud/cloud-sql-connector": "^1.3.3",
     "@google-cloud/pubsub": "^4.5.0",
     "abort-controller": "^3.0.0",

src/emulator/controller.ts

@@ -68,20 +68,20 @@
 
 /**
  * Exports emulator data on clean exit (SIGINT or process end)
  * @param options
  */
 export async function exportOnExit(options: any) {
   const exportOnExitDir = options.exportOnExit;
   if (exportOnExitDir) {
     try {
       utils.logBullet(
         `Automatically exporting data using ${FLAG_EXPORT_ON_EXIT_NAME} "${exportOnExitDir}" ` +
           "please wait for the export to finish...",
       );
       await exportEmulatorData(exportOnExitDir, options, /* initiatedBy= */ "exit");
     } catch (e: any) {
       utils.logWarning(e);
       utils.logWarning(`Automatic export to "${exportOnExitDir}" failed, going to exit now...`);
     }
   }
 }
@@ -851,6 +851,7 @@
       configDir,
       rc: options.rc,
       config: options.config,
+      autostartPostgres: experiments.isEnabled("fdcpglite"),
     });
     await startEmulator(dataConnectEmulator);
   }

src/emulator/dataconnect/pg-gateway/README.md

@@ -0,0 +1,6 @@
+The code in this directory is a very slightly modified version of https://github.com/supabase-community/pg-gateway/tree/next.
+Full credit for this code goes to @gregnr and the other contributors on that repo.
+
+Due to some known issues with how PGLite handles prepared statements, this versiom of pg-gateway includes middleware
+to remove the extra Ready for Query messages that break schema migration. Once these underlying issues with PGLite are fixed,
+we'll migrate to a normal dependency on pg-gateway.

src/emulator/dataconnect/pg-gateway/auth/base-auth-flow.ts

@@ -0,0 +1,32 @@
+import type { BufferReader } from '../buffer-reader';
+import type { BufferWriter } from '../buffer-writer';
+import type { ConnectionSignal } from '../connection';
+import type { ConnectionState } from '../connection.types';
+
+export interface AuthFlow {
+  createInitialAuthMessage(): Uint8Array | undefined;
+  handleClientMessage(message: BufferSource): AsyncGenerator<Uint8Array | ConnectionSignal>;
+  isCompleted: boolean;
+}
+
+export abstract class BaseAuthFlow implements AuthFlow {
+  protected reader: BufferReader;
+  protected writer: BufferWriter;
+  protected connectionState: ConnectionState;
+
+  constructor(params: {
+    reader: BufferReader;
+    writer: BufferWriter;
+    connectionState: ConnectionState;
+  }) {
+    this.reader = params.reader;
+    this.writer = params.writer;
+    this.connectionState = params.connectionState;
+  }
+
+  abstract createInitialAuthMessage(): Uint8Array | undefined;
+  abstract handleClientMessage(
+    message: BufferSource,
+  ): AsyncGenerator<Uint8Array | ConnectionSignal>;
+  abstract get isCompleted(): boolean;
+}

src/emulator/dataconnect/pg-gateway/auth/cert.ts

@@ -0,0 +1,100 @@
+import type { PeerCertificate } from 'node:tls';
+import { createBackendErrorMessage } from '../backend-error';
+import type { BufferReader } from '../buffer-reader';
+import type { BufferWriter } from '../buffer-writer';
+import type { ConnectionState } from '../connection.types';
+import { BaseAuthFlow } from './base-auth-flow';
+import { closeSignal } from '../connection';
+
+export type CertAuthOptions = {
+  method: 'cert';
+  validateCredentials?: (
+    credentials: {
+      username: string;
+      certificate: PeerCertificate;
+    },
+    connectionState: ConnectionState,
+  ) => boolean | Promise<boolean>;
+};
+
+export class CertAuthFlow extends BaseAuthFlow {
+  private auth: CertAuthOptions & {
+    validateCredentials: NonNullable<CertAuthOptions['validateCredentials']>;
+  };
+  private username: string;
+  private completed = false;
+
+  constructor(params: {
+    auth: CertAuthOptions;
+    username: string;
+    reader: BufferReader;
+    writer: BufferWriter;
+    connectionState: ConnectionState;
+  }) {
+    super(params);
+    this.auth = {
+      ...params.auth,
+      validateCredentials:
+        params.auth.validateCredentials ??
+        (async ({ username, certificate }) => {
+          return certificate.subject.CN === username;
+        }),
+    };
+    this.username = params.username;
+  }
+
+  async *handleClientMessage(message: BufferSource) {
+    // biome-ignore lint/correctness/noConstantCondition: TODO: detect TLS state
+    if (false) {
+      yield createBackendErrorMessage({
+        severity: 'FATAL',
+        code: '08000',
+        message: `ssl connection required when auth mode is 'certificate'`,
+      });
+      yield closeSignal;
+      return;
+    }
+
+    // biome-ignore lint/correctness/noConstantCondition: TODO: detect if cert authorized
+    if (false) {
+      yield createBackendErrorMessage({
+        severity: 'FATAL',
+        code: '08000',
+        message: 'client certificate is invalid',
+      });
+      yield closeSignal;
+      return;
+    }
+
+    // TODO: get peer cert and validate through hook
+    const isValid = false;
+
+    // const isValid = await this.auth.validateCredentials(
+    //   {
+    //     username: this.username,
+    //     certificate:  this.socket.getPeerCertificate(),
+    //   },
+    //   this.connectionState,
+    // );
+
+    if (!isValid) {
+      yield createBackendErrorMessage({
+        severity: 'FATAL',
+        code: '08000',
+        message: 'client certificate is invalid',
+      });
+      yield closeSignal;
+      return;
+    }
+
+    this.completed = true;
+  }
+
+  override createInitialAuthMessage() {
+    return undefined;
+  }
+
+  get isCompleted(): boolean {
+    return this.completed;
+  }
+}

src/emulator/dataconnect/pg-gateway/auth/index.ts

@@ -0,0 +1,37 @@
+import type { BufferReader } from '../buffer-reader';
+import type { BufferWriter } from '../buffer-writer';
+import type { ConnectionState } from '../connection.types';
+import type { AuthFlow } from './base-auth-flow';
+import { CertAuthFlow, type CertAuthOptions } from './cert';
+import { Md5AuthFlow, type Md5AuthOptions } from './md5';
+import { PasswordAuthFlow, type PasswordAuthOptions } from './password';
+import { ScramSha256AuthFlow, type ScramSha256AuthOptions } from './sasl/scram-sha-256';
+import type { TrustAuthOptions } from './trust';
+
+export type AuthOptions =
+  | TrustAuthOptions
+  | PasswordAuthOptions
+  | Md5AuthOptions
+  | ScramSha256AuthOptions
+  | CertAuthOptions;
+
+export function createAuthFlow(options: {
+  reader: BufferReader;
+  writer: BufferWriter;
+  auth: AuthOptions;
+  username: string;
+  connectionState: ConnectionState;
+}): AuthFlow {
+  switch (options.auth.method) {
+    case 'password':
+      return new PasswordAuthFlow({ ...options, auth: options.auth });
+    case 'md5':
+      return new Md5AuthFlow({ ...options, auth: options.auth });
+    case 'scram-sha-256':
+      return new ScramSha256AuthFlow({ ...options, auth: options.auth });
+    case 'cert':
+      return new CertAuthFlow({ ...options, auth: options.auth });
+    default:
+      throw new Error(`Unsupported auth method: ${options.auth.method}`);
+  }
+}